Role-based access control is very simple: every user has a list of roles that the user is allowed to assume, and every restricted part of the app makes an assertion about the roles it requires.

With assert_user_roles, access is granted only if the user is a member of all of the required roles; otherwise access is denied. With assert_any_user_role it is enough that the user is a member of at least one of the listed roles.

For example, if you have a CRUD application, for every mutating action you probably want to check that the user is allowed to edit. To do this, create an editor role, add that role to every user who is allowed to edit, and assert it in each mutating action.
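The following is an added example, not code from the page or the library it describes, showing the two assertion semantics and the editor-role pattern above in a small in-memory CRUD app. The User and Forbidden classes, the assert_user_roles / assert_any_user_role functions, the article handlers and the role names are all assumptions made for this illustration. One deliberate choice beyond the text: an assertion with no roles listed is rejected, because "member of all of an empty set" is vacuously true and would silently grant everyone access.

```python
# Added example (not the original page's code): a minimal role-based
# access-control layer with the two assertion semantics described above.
# User, Forbidden, assert_user_roles, assert_any_user_role and the CRUD
# handlers below are all assumed names for this illustration.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a user lacks the roles an action requires."""


@dataclass
class User:
    name: str
    roles: frozenset = field(default_factory=frozenset)


def _require_roles(required):
    # An empty requirement would make "all of" vacuously true, the opposite
    # of a safe default for an access check, so refuse it outright.
    if not required:
        raise ValueError("at least one role must be required")
    return frozenset(required)


def assert_user_roles(user, *required):
    """Grant only if the user holds every required role (AND semantics)."""
    needed = _require_roles(required)
    missing = needed - user.roles
    if missing:
        raise Forbidden(f"{user.name} lacks roles {sorted(missing)}")
    return True


def assert_any_user_role(user, *accepted):
    """Grant if the user holds at least one accepted role (OR semantics)."""
    options = _require_roles(accepted)
    if not (options & user.roles):
        raise Forbidden(f"{user.name} holds none of {sorted(options)}")
    return True


# Constructed in-memory store standing in for a CRUD app's backing table.
ARTICLES = {1: "draft"}


def read_article(user, article_id):
    # Reading is not mutating, so any authenticated user may do it.
    return ARTICLES[article_id]


def update_article(user, article_id, body):
    # Every mutating action asserts the editor role before touching data.
    assert_user_roles(user, "editor")
    ARTICLES[article_id] = body
    return ARTICLES[article_id]


def delete_article(user, article_id):
    # Deletion is more sensitive: require both editor AND admin.
    assert_user_roles(user, "editor", "admin")
    return ARTICLES.pop(article_id)


def view_audit_log(user):
    # Either an auditor OR an admin may read the log.
    assert_any_user_role(user, "auditor", "admin")
    return ["constructed audit entry"]


def can(action, user, *args):
    """Return True if the action runs, False if the role check denies it."""
    try:
        action(user, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User("alice", frozenset({"editor"}))
    bob = User("bob")
    print(can(update_article, alice, 1, "edited"))  # True
    print(can(update_article, bob, 1, "edited"))    # False
    print(can(delete_article, alice, 1))            # False: no admin role
```

The checks live inside each handler rather than in the caller, so a new code path that forgets to call the assertion is the only way to bypass them, which is the kind of omission a code review or a test over every mutating route can catch.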